<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Site to Site IPSEC Clarification in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ipsec-clarification/m-p/576453#M115696</link>
    <description>&lt;P&gt;Yeah, that's a good point. I am going to be more largely affected by an outage here at my office than at the other end, simply because we don't access the remote end every day at every location, but we access "some" locations every day. Perhaps the more economical solution is to build gateways and tunnels from 2 of my IPs to one at the remote end, that way I don't lose access to every location when the one ISP goes down. It doesn't happen often, but when it does I don't want to lose access entirely.&lt;/P&gt;</description>
    <pubDate>Wed, 07 Feb 2024 14:12:12 GMT</pubDate>
    <dc:creator>MattPardue</dc:creator>
    <dc:date>2024-02-07T14:12:12Z</dc:date>
    <item>
      <title>Site to Site IPSEC Clarification</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ipsec-clarification/m-p/576300#M115676</link>
      <description>&lt;P&gt;I'm moving from a Cisco ASA to a Palo Alto firewall for the first time. I've imported the config to Expedition and am prepping it for import to the firewall, but I noticed only the first of my crypto peers for each tunnel was imported to an IKE gateway. After some research it seems I'm going to need a separate IKE gateway for each remote peer as well as for each local interface from which my tunnel needs to connect.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So, for instance, assuming I have two WAN interfaces on my local firewall and the remote end has two WAN IPs, and on each side we're connecting a single subnet to the tunnel, then I would need the following IKE gateways:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Local WAN1 -&amp;gt; Remote WAN1&lt;/P&gt;
&lt;P&gt;Local WAN1 -&amp;gt; Remote WAN2&lt;/P&gt;
&lt;P&gt;Local WAN2 -&amp;gt; Remote WAN1&lt;/P&gt;
&lt;P&gt;Local WAN2 -&amp;gt; Remote WAN2&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;In Expedition I can't seem to add an IKE gateway to test, but on the firewall if I add each of the gateways mentioned above then I presume that adds tunnel interfaces for each, then I just add the tunnel to the corresponding trust zone?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Does that all sound right, or am I completely botching this? Is there a better way to create tunnels that can utilize either of my WAN interfaces and multiple peer IPs?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for any help anybody can provide and I apologize if I'm missing something obvious here.&lt;/P&gt;</description>
      <pubDate>Tue, 06 Feb 2024 18:03:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ipsec-clarification/m-p/576300#M115676</guid>
      <dc:creator>MattPardue</dc:creator>
      <dc:date>2024-02-06T18:03:15Z</dc:date>
    </item>
    <item>
      <title>Re: Site to Site IPSEC Clarification</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ipsec-clarification/m-p/576420#M115688</link>
      <description>&lt;P&gt;You are right.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;An IKE gateway needs to be created for each IP pair, so if you have 2 ISPs and the remote has 2 ISPs and you want to full mesh all pairs, you would need 4 IKE gateway objects and 4 IPsec tunnel objects.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;On the other hand: does it make sense to full mesh all pairs? Is it likely both sides will have a simultaneous outage on one of their ISPs?&lt;/P&gt;</description>
      <pubDate>Wed, 07 Feb 2024 10:13:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ipsec-clarification/m-p/576420#M115688</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2024-02-07T10:13:40Z</dc:date>
    </item>
    <item>
      <title>Re: Site to Site IPSEC Clarification</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ipsec-clarification/m-p/576453#M115696</link>
      <description>&lt;P&gt;Yeah, that's a good point. I am going to be more largely affected by an outage here at my office than at the other end, simply because we don't access the remote end every day at every location, but we access "some" locations every day. Perhaps the more economical solution is to build gateways and tunnels from 2 of my IPs to one at the remote end, that way I don't lose access to every location when the one ISP goes down. It doesn't happen often, but when it does I don't want to lose access entirely.&lt;/P&gt;</description>
      <pubDate>Wed, 07 Feb 2024 14:12:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/site-to-site-ipsec-clarification/m-p/576453#M115696</guid>
      <dc:creator>MattPardue</dc:creator>
      <dc:date>2024-02-07T14:12:12Z</dc:date>
    </item>
  </channel>
</rss>

